qemu: process: SEV: Relabel guest owner's SEV files created before start

Before launching a SEV guest we take the base64-encoded guest owner's data specified in launchSecurity and create files with the same content under /var/lib/libvirt/qemu/<domain>. The reason for this is that we need to pass these files on to QEMU which then uses them to communicate with the SEV firmware, except when it doesn't have permissions to open those files since we don't relabel them. https://bugzilla.redhat.com/show_bug.cgi?id=1658112Signed-off-by: N Erik Skultety <eskultet@redhat.com> Acked-by: N Michal Privoznik <mprivozn@redhat.com>

qemu: process: SEV: Relabel guest owner's SEV files created before start
Before launching a SEV guest we take the base64-encoded guest owner's data specified in launchSecurity and create files with the same content under /var/lib/libvirt/qemu/<domain>. The reason for this is that we need to pass these files on to QEMU which then uses them to communicate with the SEV firmware, except when it doesn't have permissions to open those files since we don't relabel them. https://bugzilla.redhat.com/show_bug.cgi?id=1658112Signed-off-by: N Erik Skultety <eskultet@redhat.com> Acked-by: N Michal Privoznik <mprivozn@redhat.com>
7dc31fe5 · Erik Skultety · 2c4c7de1 · 7dc31fe5
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

src/qemu/qemu_process.c src/qemu/qemu_process.c +4 -0

未找到文件。
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6046,6 +6046,7 @@ qemuProcessSEVCreateFile(virDomainObjPtr vm,
                         const char *data)
 {
    qemuDomainObjPrivatePtr priv = vm->privateData;
+    virQEMUDriverPtr driver = priv->driver;
    char *configFile;
    int ret = -1;

@@ -6058,6 +6059,9 @@ qemuProcessSEVCreateFile(virDomainObjPtr vm,
        goto cleanup;
    }

+    if (qemuSecurityDomainSetPathLabel(driver, vm, configFile, true) < 0)
+        goto cleanup;
+
    ret = 0;
 cleanup:
    VIR_FREE(configFile);